Wednesday 2 November 2016

Maldoc With Process Hollowing Shellcode

Last week I came across a new Hancitor maldoc sample. This sample contains encoded shellcode that starts a new (suspended) explorer.exe process, injects its own code (an embedded, encoded exe) and executes it. This process hollowing technique bypasses application whitelisting.

The shellcode uses Win32 API functions like CreateProcess, ZwUnmapViewOfSection, GetThreadContext, ResumeThread, … to inject code into the newly created explorer.exe process and execute it. This method is called process hollowing or process replacement.

The explorer.exe process is created in a suspended state (CREATE_SUSPENDED), so its main thread never runs the legitimate code. The original explorer.exe image is then unmapped from the process, the payload PE-file is written into the process in its place, the main thread's context is rewritten so that execution starts at the payload's entry point, and finally the thread is resumed. This bypasses application whitelisting that decides on the executable file on disk: the process was launched from the whitelisted explorer.exe and still shows that image path, but the code that actually runs is the payload, which is never written to disk as a PE-file.
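The call chain above is also what a behavioural detection looks for. The following is an added example, not code from the original post: it runs a small state machine over an API trace and flags a child process that was created suspended, had its image unmapped, was written to, had its thread context rewritten and was then resumed. The trace format (one event per line with the caller pid, the API name and key=value arguments) is constructed for this example; WriteProcessMemory and SetThreadContext are assumed as the calls behind "inject its own code" and "update the thread context", since the post names only some of the functions.

```python
"""Flag process-hollowing call chains in an API trace.

Added example, not code from the original post. The trace format (one event
per line: caller pid, API name, key=value arguments) is constructed for this
example; sandbox and EDR traces look different, but the detection logic is
the same: one process creates a child suspended, unmaps the child's image,
writes into the child, rewrites the primary thread's context and resumes it.
"""
import re
from collections import defaultdict

# CreateProcess, ZwUnmapViewOfSection, GetThreadContext and ResumeThread are
# named in the post. WriteProcessMemory and SetThreadContext are the usual
# calls behind "inject its own code" and "update the thread context"
# (assumption; an implementation may use the Nt* equivalents instead).
CREATE = {"CreateProcessA", "CreateProcessW"}
UNMAP = {"ZwUnmapViewOfSection", "NtUnmapViewOfSection"}
WRITE = {"WriteProcessMemory", "NtWriteVirtualMemory"}
GET_CTX = {"GetThreadContext", "NtGetContextThread"}
SET_CTX = {"SetThreadContext", "NtSetContextThread"}
RESUME = {"ResumeThread", "NtResumeThread"}
CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit

LINE_RE = re.compile(r"^pid=(?P<pid>\d+)\s+(?P<api>\w+)\s*(?P<args>.*)$")
ARG_RE = re.compile(r"(\w+)=(\S+)")

REQUIRED = ("create_suspended", "unmap", "write", "set_context", "resume")


def parse_line(line):
    """Parse one constructed trace line into (caller pid, api, {arg: value})."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group("pid")), m.group("api"), dict(ARG_RE.findall(m.group("args")))


def detect_hollowing(trace_lines):
    """Return {(parent_pid, child_pid): [stages in trace order]} for every
    child that went through the complete hollowing chain."""
    stages = defaultdict(list)   # (parent, child) -> stage names seen
    thread_owner = {}            # (parent, thread handle) -> child pid
    for line in trace_lines:
        ev = parse_line(line)
        if ev is None:
            continue
        pid, api, a = ev
        if api in CREATE:
            if int(a.get("flags", "0"), 0) & CREATE_SUSPENDED:
                child = int(a["child_pid"])
                stages[(pid, child)].append("create_suspended")
                thread_owner[(pid, a.get("thread"))] = child
        elif api in UNMAP or api in WRITE:
            key = (pid, int(a.get("target_pid", "-1")))
            if key in stages:  # only children we saw being created suspended
                stages[key].append("unmap" if api in UNMAP else "write")
        elif api in GET_CTX or api in SET_CTX or api in RESUME:
            child = thread_owner.get((pid, a.get("thread")))
            if child is None:
                continue
            name = "get_context" if api in GET_CTX else "set_context" if api in SET_CTX else "resume"
            stages[(pid, child)].append(name)

    hits = {}
    for key, seen in stages.items():
        if not all(s in seen for s in REQUIRED):
            continue
        # The resume must come after the context rewrite; appending in trace
        # order makes this an index comparison. A launcher that merely creates
        # a child suspended and resumes it never gets this far.
        if max(i for i, s in enumerate(seen) if s == "resume") > seen.index("set_context"):
            hits[key] = seen
    return hits


# Constructed trace: a maldoc host (pid 1234) hollowing explorer.exe (pid 5678),
# followed by a benign launcher (pid 2000) that starts a child suspended and
# simply resumes it.
SAMPLE_TRACE = [
    "pid=1234 CreateProcessW image=C:\\Windows\\explorer.exe flags=0x4 child_pid=5678 thread=0x1c8",
    "pid=1234 GetThreadContext thread=0x1c8",
    "pid=1234 ZwUnmapViewOfSection target_pid=5678 base=0x400000",
    "pid=1234 VirtualAllocEx target_pid=5678 base=0x400000 size=0x2a000",
    "pid=1234 WriteProcessMemory target_pid=5678 base=0x400000 size=0x400",
    "pid=1234 WriteProcessMemory target_pid=5678 base=0x401000 size=0x1f000",
    "pid=1234 SetThreadContext thread=0x1c8 eax=0x40a3c0",
    "pid=1234 ResumeThread thread=0x1c8",
    "pid=2000 CreateProcessW image=C:\\Tools\\helper.exe flags=0x4 child_pid=2001 thread=0x2b0",
    "pid=2000 ResumeThread thread=0x2b0",
]

if __name__ == "__main__":
    for (parent, child), seen in detect_hollowing(SAMPLE_TRACE).items():
        print(f"pid {parent} hollowed pid {child}: {' -> '.join(seen)}")
```

The order check matters: a debugger or installer also creates children suspended and resumes them, and some legitimate tooling writes into a child, so the chain is only reported when the unmap, write and context rewrite all sit between the suspended create and the resume.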

The payload is a PE-file (exe) embedded and encoded in the maldoc in stream 5. The string STARFALL marks the start of the payload. The PE-file is encoded with base64, and then each byte of the base64 text is XORed with 15 and has 3 subtracted from it; since XOR and subtraction do not commute, decoding has to reverse the steps in the opposite order: add 3, XOR with 15, then base64-decode. This file can be detected and extracted with my decode-search.py tool.
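As an added example, not Didier Stevens' decode-search.py and not code from the post, the script below implements the transform exactly as the post describes it: find the STARFALL marker, undo the subtract-3/XOR-15 layer byte by byte until the result leaves the base64 alphabet, base64-decode what is left and check for an MZ/PE header. The stream it runs on is constructed here (a fake PE header stub wrapped in the same encoding) so it works offline; the end-of-payload detection is an assumption about how a real stream looks, not something the post states.

```python
"""Locate and decode the STARFALL-marked payload described in the post.

Added example, not Didier Stevens' decode-search.py. It implements the
transform as the post describes it: the PE-file is base64-encoded, then each
byte of the base64 text is XORed with 15 and has 3 subtracted. Decoding
reverses the steps: add 3, XOR with 15, base64-decode. The stream below is
constructed for this example (a fake PE consisting of an MZ header, an
e_lfanew pointer and a "PE\\0\\0" signature), so the script runs offline.
"""
import base64
import struct

MARKER = b"STARFALL"
XOR_KEY = 15
SUB = 3
B64_ALPHABET = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)


def encode_payload(pe):
    """Forward transform (order as stated in the post); used only to build the sample."""
    return bytes(((c ^ XOR_KEY) - SUB) & 0xFF for c in base64.b64encode(pe))


def decode_payload(blob):
    """Reverse transform for a blob known to contain only the encoded payload."""
    return base64.b64decode(bytes(((c + SUB) & 0xFF) ^ XOR_KEY for c in blob))


def extract_after_marker(stream, marker=MARKER):
    """Find the marker, then undo subtract/XOR byte by byte until the result
    leaves the base64 alphabet (assumption: that is where the payload ends in
    a stream carrying other data after it). Returns decoded bytes or None."""
    i = stream.find(marker)
    if i < 0:
        return None
    b64 = bytearray()
    for c in stream[i + len(marker):]:
        d = ((c + SUB) & 0xFF) ^ XOR_KEY
        if d not in B64_ALPHABET:
            break
        b64.append(d)
    b64 = b64[: len(b64) - len(b64) % 4]  # drop a trailing partial quantum
    return base64.b64decode(bytes(b64))


def is_pe(data):
    """Cheap sanity check: MZ header and a PE\\0\\0 signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_fake_pe():
    """Constructed MZ/PE header stub for the sample; not a runnable executable."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    nt_header = b"PE\0\0" + struct.pack("<HH", 0x14C, 3)  # i386, 3 sections
    return dos_header + nt_header + b"\x00" * 64


# Constructed stand-in for OLE stream 5: bytes before the marker, the encoded
# payload, and unrelated bytes after it.
SAMPLE_STREAM = (
    b"\x00" * 16 + b"stream data before the marker "
    + MARKER + encode_payload(build_fake_pe()) + b"\xff\x00trailing bytes"
)

if __name__ == "__main__":
    pe = extract_after_marker(SAMPLE_STREAM)
    print("payload found:", pe is not None, "| looks like PE:", is_pe(pe))
    print("decoded size:", len(pe))
```

If the bytes following the payload in a real stream happen to decode into base64 alphabet characters, a few garbage bytes end up appended to the extracted file; the PE's own section table then gives the true end of the image. Running the decoded bytes through is_pe before writing them out avoids mistaking a false marker hit for the payload.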

[…] Didier Stevens has posted his analysis of a new Hancitor maldoc sample. “This sample contains encoded shellcode that starts a new (suspended) explorer.exe process, injects its own code (an embedded, encoded exe) and executes it”. Using a combination of his tools, Didier is able to extract the payload, which he dutifully submitted to VirusTotal. Maldoc With Process Hollowing Shellcode […]

Hi there, thanks for the guide. 🙂 Just a quick question: is there a difference in results if I use radare2 on Linux? I am able to decode properly using decoder.xls but unable to get the same results after running the radare2 command as per your screenshot. Thanks!

Newbie question. What did you include in the decode-search.txt file? Is there a specific expression format that is supposed to be followed? I have been trying to figure out how to extract the PE file using decode-search.py from a recent Hancitor sample but to no avail.